Don't know about you, but I've always wanted to know the things they don't want me to know. Not for political or monetary gain, but just because I'm not supposed to. For instance, wouldn't you just love to know how fine is the detail that U.S. spy satellites can resolve on the ground? (Cold War joke: a sign on the roof of the Pentagon says, in 6-inch-high letters: "If you can read this / you're where we were / 8 years ago.") Wouldn't you love to know if the NSA and/or the CIA is really listening in on U.S. citizens' phone and Internet traffic? (One of my favorite .sig's, originator unknown, reads: "The NSA is now funding research not only in cryptography, but in all areas of advanced mathematics. If you'd like a circular describing these new research opportunities, just pick up your phone, call your mother, and ask for one.") Wouldn't you love to know whether the NSA can break messages encrypted with a 512-bit PGP key?

On 1996-01-28 Harvard Law School hosted a symposium titled "Information, National Policies, and International Infrastructure." Paul Strassmann (National Defense University) and William Marlow (Science Applications International Corporation) gave a talk [1] entitled "Anonymous Remailers as Risk-Free International Infoterrorists." A week later an attendee, an Austrian economist named Viktor Mayer-Schoenberger, wrote a note [2], [3], [4e] apparently to the "help" email address of HotWired; at some point the note was posted anonymously to a number of newsgroups on anonymity and politics. I have not been able to find an email address for the author.

The note makes some alarming claims about what the presenters said in answer to questions at this symposium. I wrote to Strassmann and Marlow about the accuracy of these observations. Strassmann replied today that what the attendee reported was a personal interpretation of what had been said and was out of context. They plan to issue a statement correcting what was reported. I'll post a pointer to it here, assuming the authors grant permission.

Note: URLs [2] and [3] below were obtained from an Alta Vista search [4]. You may have trouble following these links. In particular [2] resides on Alta Vista's Usenet spool and its lifetime there will be at most two weeks. [3] will work only from a Netscape browser; and at the moment the Domain Name Service is disclaiming knowledge of anon.penet.fi. Reissuing the Alta Vista search [4] might turn up more hits later as other Usenet newsgroups' traffic is indexed by the superspider.

[1] http://www.strassmann.com/pubs/anon-remail.html
[2] http://ww2.altavista.digital.com/cgi-bin/news?msg@1142@alt%2eprivacy%2eanon%2dserver
[3] news:132317Z03031996@anon.penet.fi
[4] http://altavista.digital.com/cgi-bin/query?pg=aq&what=news&fmt=d&q=Strassman+and+Marlow+and+Chaarles&r=&d0=&d1=&text=yes
[4a] http://metacrawler.cs.washington.edu:8080/
[4b] http://www.metatrout.com/~jwehling/NSARemailer.html>
[4c] http://www.consilpdx.com/~jwehling/NSARemailer.html>
[4d] 'The intelligence coup of the century'
[4e] https://is.gd/gZEWiV

On 1996-03-05 Senator Patrick Leahy (D-VT) introduced the Encrypted Communications Privacy Act of 1996 in the Senate and held a press conference with Senate and House cosponsors. The Senate [5] and House [6] versions differ somewhat; only the Senate version makes any reference to key-escrow schemes that the administration has been pushing, and consumers and corporations rejecting, for several years. The bills would waive export restrictions on such "generally available" software as PGP and popular Web browsers. They would impose criminal penalties for the use of encryption in the commision of a crime. While most civil liberties and privacy organizations applaud the bills as a good start, all have some issues with it. See the analyses of EPIC [7], CDT [8], and VTW [9]. EPIC [7] in particular catches subtle implications in the Senate bill that would prolong the NSA's unwelcome involvement in commercial encryption. Two noted cryptgraphers, Matt Blaze [10] and Bruce Schneier [11], have written open letters to Sen. Leahy that generally praise the bill but express reservations with the provisions criminalizing some uses of encryption.

[5] http://www.epic.org/crypto/legislation/s1587.html
[6] http://www.vtw.org/archive/960305_235808
[7] http://www.epic.org/crypto/legislation/s1587_analysis.html
[8] http://www.cdt. org/publications/pp_2.9.html
[9] http://www.vtw.org/archive/960305_120857
[10] http://www.vtw.org/archive/960305_124928
[11] http://www.vtw.org/archive/960306_000807

On 1996-03-04 a group of long-distance carriers petitioned the Federal Communications Commission to stop companies from selling software and hardware products that enable use of the Internet for long-distance voice calls. A handful of companies sell software, mostly in the $50 range, for this purpose; the free software is even more plentiful [12], [13]. At first glance these tools don't look like much of a threat to established long-distance carriers. The quality of Internet phone connections is generally poor and they are subject to the unreliability that characterizes the overloaded Net today. Also, the various software packages aren't compatible; you can only talk to someone who has the same software you do. One estimate puts the current number of users at 20,000 according to a story in the _Boston Globe_ today. The FCC has moved with uncharacteristic speed in scheduling public comment on the question; petitions for rule-making commonly sit for weeks or months without action, but within 2 days the agency had set an April 8 date for comments.

[12] http://rpcp.mit.edu/~asears/main.html
[13] http://www.northcoast.com/savetz/voice-faq.html

Dan Bricklin , one of the original authors of Visicalc, these days has a product called "demo-it!" for mocking up conceptual demos of software that hasn't been prototyped yet. He was asked by David Coursey , organizer of the annual Demo conference and editor/publisher of PC Letter, to come up with something amusing for Demo 96 in late January. Bricklin's "ChiaPaint" demo near about brought down the house, reports say, and earned him the honorary title of "Demo God." If you run Windows 3.1 or Windows 95 you simply must download this demo [14]. It contains a Readme file with a script that will enable you to render your own friends and family helpless with laughter. The Readme is also available separately at [15].

Here is a description of Bricklin's star turn from Nando, the official newspaper of Demo 96:

> The most entertaining event of the day was Dan Bricklin's demo of
> ChiaPaint. At first it appeared to be a Java-based variation on Kid-
> Pix, where you could mark up clip art with goofy tools like "fur" or
> "lots 'o hair," but as Bricklin encountered a series of ever more
> ridiculous error messages, most of which demanded that he enter his
> credit card number to extend his license for various Java objects,
> it became clear that it was a satire of the Sun-Oracle vision of net-
> work-centric computing -- a vision that, judging from the audience's
> howls of laughter, most of them don't share. The final punchline was
> that the joke was also a real demo -- of Bricklin's demo-it utility.

[14] http://www.pcletter.com/PC%20Letter%20Online/bricklin.html
[15] http://www.pcletter.com/dbreadme.html

Kevin McCurley , one of the perpetrators of DigiCrime (see [16]), maintains a page [17] of links to the home pages of crypto researchers. The last time I visited 72 were listed. [Note added 1996-12-20: URL updated for moved page; the count is now 90 and includes 3 research groups. -- KD]

[16] http://www.tbtf.com/archive/1995-12-31.html
[17] http://www.swcp.com/~mccurley/cryptographers/cryptographers.html

First there was Four11 [18]; then there was WhoWhere [19]; then a half-dozen others. In the same way that Alta Vista [20] trumped the full-text, full-Web search engines, SwitchBoard [21] has trumped the people-finding Web pages. This site gives you free access to the 100 million personal and business listings in the Database America CD-ROM; and you can write to it too. The site certainly raises disturbing questions of privacy. My phone number and address are visible to the greater Internet, until and unless I visit , register with them, and change my listing. I'm sure they tried to eliminate unlisted (our British cousins would say "ex-directory") numbers from the database, but with upwards of 30% of U.S. customers requesting unlisted status, how many do you suppose slipped through? There's worse. As far as I can see there is nothing to stop me from searching for "Patrick Buchanan," picking on the candidate's listing to say "that's me," giving an anonymous email address, receiving a password there, and then adding insulting and libelous material to Mr. Buchanan's SwitchBoard listing.

From Ryan Conley <nfn00634 at naples dot net>, 1996-03-26: "Switchboard at first seems first-rate, but there is one staggering shortcoming. It has a limit (about 10 letters) to how long a name can be to be included in the database. For instance, the computer believes that there is no one in the whole country with the first name of 'Christopher.' It's too long. Try it and see. I have sent them mail about this."

[18] http://www.four11.com/
[19] http://www.whowhere.com/
[20] http://www.altavista.digital.com/
[21] http://www.switchboard.com/

Between 1995-10-15 to 1995-11-31, six Macintosh Internet companies offered a $10,000 prize to anyone who could read one protected line from a particular public Web page; the target was secured only by off-the-shelf Macintosh software (StarNine's WebSTAR server and NetCloak, a CGI application from Maxum Development). The goal was to raise awareness of the Macintosh server as a highly secure Web platform. The results [22] of the challenge were published in TidBITS. Bottom line: no-one collected.

[22] http://www.dartmouth.edu/pages/TidBITS/issues/TidBITS-317.html#s5

Responding to the publicity about security holes in Navigator 2.0 resulting from the JavaScript language implementation, Netscape has promised to fix at least two of the three outstanding problems in a release 2.01 due out this week. On 1996-02-29 Brendan Eich posted a response [24] to the security concerns. (You will need the Netscape browser to retrieve this URL.)

[23] http://www.tbtf.com/archive/1996-02-27.html
[24] snews://secnews.netscape.com/31367495.7AAE@atm.mcom.com

On 1996-02-18, Drew Dean posted a note [25] to the Risks forum detailing the findings of a group Princeton researchers. They had discovered a flaw that would allow a Java applet, after separate subversion of the Domain Name System, to make an arbitrary network connection. Sun responded quickly and prepared a patch [26] for the affected platforms, Win 95, Win NT, and several flavors of Unix. Sun's response is at [27].

[25] http://www.cs.princeton.edu/~ddean/java
[26] http://www.netscape.com/comprod/mirror/java-patch-download.html
[27] http://www.netscape.com/newsref/std/java_security.html

I found the pointer to this engrossing account [28] (OK, it's engrossing if you are now or have ever been a programmer) on Rich Graves's Hack Microsoft page [29]. Written by Andrew Schulman , it gives the lowdown skinny on the Win95 Registration Wizard, first fingered in TBTF for 1995-05-23 [30]

[28] <ftp://ftp.ora.com/pub/examples/windows/win95.update/regwiz.html>
[29] <http://www.c2.org/hackmsoft/>
[30] <http://www.tbtf.com/archive/1995-05-23.html>

>>From Edupage (1996-03-03):

> FLAW FOUND IN KERBEROS SECURITY SYSTEM
> Researchers at Purdue University have discovered a flaw in the popular
> Kerberos computer-security system that affects the way Version 4 of the
> software creates the secret keys for encryption. The problem does not
> affect Version 5, unless it is run in a way that emulates Version 4. The
> software is supposed to select its keys randomly from among billions of
> numbers, but the problem occurs in the random-number generator, which is
> selecting from a much smaller pool of perhaps a million or so, making it
> much easier for an intruder to crack the key. "Basically, we can forge
> any key in a matter of seconds," says Purdue professor Eugene Spafford.
> The CERT Coordination Center at Carnegie Mellon University has issued an
> advisory on the problem -- CA-96.03 -- and recommends using "patches" to
> fix the flaw. < http://www.sei.cmu.edu/technology/cert.cc.html >
> (Chronicle of Higher Education 1 Mar 96 A29)